You can never be too ready for a ransomware attack. But what does it really take to cover all the bases? Enter Eric Escobar, Secureworks Principal Security Consultant, who lives and breathes ransomware preparedness. Hear how Eric and his team take on the role of “ethical hackers,” simulating real-world attacks to uncover vulnerabilities. Discover the importance of thorough penetration testing and looking at your risks from every possible angle. Hear how Secureworks helps companies prepare for the worst — with the very best in offensive and defensive security.
What We'll Cover
Common ransomware attack vectors
Secureworks® holistic approach to ransomware preparedness
Real-world examples of customer engagements
Deep-dive into “pentesting” and why it’s so important
Safeguarding compliance with regulatory requirements
Secureworks Interview with Eric Escobar
Sally: Hi everyone and a warm welcome to a new episode of Let's Talk SoC. Today we're focusing in on the critical topic of ransomware preparedness. And to explore all the latest insights, I'm delighted to be joined now by Eric Escobar, Principal Consultant and Wireless Lead at Secureworks. Welcome Eric!
Eric: Hey, how's it going, Sally?
Sally: Ah, all good. Very lovely warm weather as well. So, it's a lovely way to spend the rest of the day, honestly, Eric, drilling into this really important area. But maybe as a place to start, could you share a bit more about yourself and particularly your role at Secureworks as well?
Eric: Yeah, absolutely. So, I've been at Secureworks for probably about seven years now. It's the absolute best job in the world. On any given day, I am compromising our customers all in the name of making them more secure and making it so a real threat actor, a real bad guy can't break in, compromise and steal ransomware, do any of those nefarious things you read about.
Sally: Absolutely. And it affects every single one of us, doesn't it? In terms of individuals…
Eric: Not wrong.
Sally: …families, work, life, etc. really is right up there as a concern that we all share. And I'd love to find out a bit more about your role kind of as a white hacker, so to speak. What have you kind of that involved basically? But also what are the most kind of significant attack vectors that you're dealing with at the moment you could share about, particularly perhaps around ransomware?
Eric: Yeah, absolutely. So, with ransomware, somebody basically needs to compromise your systems in order to lock up your files. If you're not familiar with what ransomware is, it's basically where a threat actor like myself or someone in the real world, what they'll do is they'll access a system and they will encrypt it. So, they'll make it unreadable to you without the, you know, the special key, so to say. And so really ransomware is just one of the tail-end of how a company gets compromised. You know, but there are a ton of other different ways that companies can get compromised for a multitude of different reasons. Sometimes they might be compromised to steal intellectual property information. Sometimes they'll get compromised in order to steal user information, to steal proprietary data, code. If it's like a hospital system, maybe they want patient data. So, all of the different stuff, those are all targets of threat actors that are out there. And ransomware is just that tail-end of, hey, how can we monetize the access that we have? And so you'll notice we have all the crazy boxes behind myself and those are a lot of the different tools that we do for either physical assessments where we're trying to physically break in somewhere or hardware-based assessments where I'm trying to de-solder chips and gain access to firmware and all that kind of stuff. So, it really just goes down the whole rabbit hole of compromise, but really at the end of the day, that's what ransomware is. It is locking up your files so that you have to pay the ransom in order to gain access to them again.
Sally: I think you really brought to the fore as well just the dynamism really of the space with so many different kind of new threat vectors as well coming together. Also, more collaboration of bad actors too and just how different things come to the fore. Like for me I'm doing a lot of work in energy at the moment. So, security and energy again rising up there and even new threats there kind of from ransomware to killware as well. So, I mean really, really dynamic space. So, A, thank you for the work you're doing there Eric, but B, I wanted to flag as well some of the amazing work you're doing at things like Devcom. I was reading about that as well. Literally the man I think to kind of identify any challenge actually from I'm seeing your success rate and things like wireless CTF. Very, very impressive. I thought that was excellent. So really great example there as well. Some of the work Eric does outside of Secureworks too, in terms of kind of identifying challenges and really bringing on new talent too. So I wanted to mention that. I love that. Also, for the audience today, perhaps going back to the ransomware subject, you know, in a bit more detail. And again, appreciate we sometimes need to be anonymous about this from client case studies, but perhaps we could share kind of a real world example of how you've supported and how you've facilitated customers to boost their defenses more, particularly around these new emergent evolving threats.
Eric: Yeah, absolutely. So gosh, it's one of these things that if you give me seven minutes to talk about this or seven hours, I could fill that entire gap. So, I'm the goldfish when it comes to, what do we want to talk about, right? When it comes to ransomware and the scenario of how can we help our clients better defend themselves against it, the first step that we like to say is, let's see if somebody can actually do it. Let's see if a real-world threat actor can. And so that's a lot of what my role is. My role is, let's step in here. I'm going to put my bad guy hat on and attempt to compromise your company, attempt to compromise credentials, gain access, see what hosts and servers are available, see where your files actually are, what your backup strategy is. And it's very much like going and pulling the fire alarm and seeing, hey, how do people react? Do they know who to call? Do they know the exit strategies? And in the same way, when we perform a ransomware, so we perform a ransomware simulation, essentially, is one of the offerings that we essentially do here on our team. And so that's really great because what happens then is it forces, you know, the C-suite, the executives, it forces the technical people all to say, do we have good backups? If we have good backups, how easily can we recover from them? Do we have critical files, you know, accessible from multiple different backup locations? Are all of our backups in the cloud? Do we have some local? Are they offline? What could a threat actor basically have? And so that's the first step of that is basically identifying and saying, hey, what could happen to you if a real-world threat actor comes? And then obviously since we're Secureworks, we have the ability to call upon our incident response team, which they have, they do thousands of these engagements every single year where they're evicting threat actors and then having to basically decrypt ransomware packages and payloads.
And then we also have obviously the Taegis platform, which is what prevents a threat actor from potentially even gaining access to your network before they can even try and ransomware you, right? So that's kind of the three-prong attack that we have. I'm on the adversarial side, but we obviously work closely with the two other prongs of the company as well.
Sally: Fantastic. Excellent. So, I love that. So essentially you're kind of doing a kind of taking the temperature in many ways, identifying where your gaps and weaknesses may be kind of before the threat actor does essentially. But also what I've seen as well, and again, there's some organizations I've worked with directly, I've loved the fact that this facilitation, that word there, I think springs to mind about what you then do from that, what actions you can take, but also kind of splitting it not just from a leadership perspective, but from a tech one and how you align those together as well. I've seen some great work around that. And within this too, like the role of pentesting, I think possibly has never been more important. Obviously there's different flavors of this too, isn't there, in terms of say external and physical, but also wireless, internal, and very specialized as well. Perhaps we could drill into that, about why pen testing is kind of making a real difference at the moment, but also kind of what those different flavors bring and why one might be more beneficial in one context over another.
Eric: Oh gosh, Sally, again, you give me seven hours I could talk about this for days and days and days. This is what I live, breathe, and eat. If you could see…
Sally: Brilliant.
Eric: …on my other screen right now, I'm cracking around 5,700 passwords that I've compromised from an organization, and they're all spinning on several graphics cards that you would normally use to play video games, but now they're repurposed into cracking passwords. And again, the…
Sally: Love it.
Eric: …whole purpose of this is to basically say, are there weak passwords in this environment for this company, right? And so... When you talk about pen testing and why it's so important, really it's the tip of the spear, right? This is how somebody's going to get in. And so we do external penetration tests where we try and compromise your organization from the public internet and not just so much, hey, can we compromise your servers that might be on the public internet, but what does the public internet know about you? Have you been involved in breaches? Do you have source code that's in something like GitHub? Do you use any cloud products like Office 365, Azure, Google Cloud? These are all vectors with which attackers and threat actors, that they can try and compromise any one of our customers. We do internal tests where we basically simulate what would happen if an end user were to click on a malicious email, plug in a thumb drive, or if you just had a malicious user that meant to do harm to the company. What does that look like and what could they do if they are already inside your network and they aim to do something nefarious to you? We have, you mentioned the more exotic things that you can do as far as pen testing goes. I'm a wireless technical lead, and so as a part of that, we try and compromise your organization from the wireless perspective. So, can we compromise your guest network? If your company does have a guest network, can we use it to pivot into your corporate network? Can we use it to bypass multifactor authentication? For your corporate wireless, can we basically then go from there and say, hey, we are able to gain access to that if there's not like certificates in place or any of the other number of protections that are in place? And basically, just like can we gain access to the squishy parts of the organization? Or the crown jewels and the crown jewels are different for absolutely every organization and that's where we come in.
We say, “hey where are the things that are sensitive,” and we are going to basically write the roadmap of how a threat actor is going to be able to access those resources and why that's really powerful is that now if you have a company that has say, you know half a million dollars of budget to spend on security tooling we can now focus that budget down and say, hey, you know what? The things that you thought matter, well, that's not actually how we were able to compromise your company. So, instead invest your remaining budget into these different specific areas that would stop a real-world threat actor like myself. And so that's a lot of the power as far as like those basic pen testing offerings that we have. But then we go down like the sliding spectrum of like physical access. So, you know, you'll see behind me, there's over, over my shoulder over here. There's a hard hat. There's a tool that's under the door tool. Um, and basically with those, we do physical pen tests where we try and physically compromise, pick locks, clone key cards, you know, try and do social engineering. Um, and again, those are important because, uh, the person that's sitting in the chair behind a workstation is sometimes the weakest link and they'll allow you in and allow you past MFA and two factor authentication. So doing those types of physical engagements for larger companies are, they're huge because that's where you're putting your training, your money and your resources into your facilities and your staff. And then we even go down the more fun route, which is like more of our red team offering where we essentially try and come in completely cloak and dagger. And then we have purple team offerings where we can essentially work with the security team that's already in place and say, hey, did you see this? If you didn't see it, let's start fine tuning your alerting so that you can more actively detect somebody like myself when they're in your network.
So, we basically do a ton of different scenarios. I mean, we'll even go so far as we have a scenario called lost laptop, where we will basically say, hey, say your CFO went to the gym and put their laptop in their gym bag or in their car, and they come back out to their car and they say, uh-oh. Laptop's gone and we simulate what happens there. Can we compromise that hard drive? What ends if they only put their computer to sleep? Those keys are still in memory. And that's where we use the tools behind me right here to basically, you know, solder things to different chips, keep everything cool, extract encryption keys from memory and then gain access to that. And so all that to say that pen testing, that's why it's tip of the spear is because it can help you allocate resources and find out real ways that a threat actor is actually going to try and breach your company, your organization, or even if you're just a VIP, how somebody can target you.
Sally: I love the holism there of all the different aspects you're considering. I mean, literally as multi-layer in terms of the support that you're giving there. And when you mentioned about that kind of VIP aspect as well, you reminded me of a different example too about, for example, on social media, where quite recently has been an uptake, for example, in C-suite being targeted as well and simulation testing. So again, if you get a message you think is from that source, what that opens up, that kind of trickle effect then of communications. And they found the weak link to be, for example, the communication around an incident. So again, simulation for all types of roles, not just tech facing roles, you know, from a hundred percent point of view, because every role is tech and data facing to such an extent now. So, making sure everyone knows their role there, I think is absolutely critical too. So, simulation in all those different aspects you were talking about, love the fact you brought that to the fore, it's brilliant. And I was going to ask you there about some of the key kind of benefits of doing this approach. You brought out so many there, very, very naturally. For me, I was going to talk about validation and assurance. I think that's so, so important. But also, you mentioned there about alerts very briefly too. I think another benefit there is helping you to kind of sort through some of the noise there. So, you can really identify what the, say high fidelity alerts might be. Particularly when we look at some of the overload in security teams today, but also doing more with less as well and issues like tool sprawl, for example, too. So again, I think this approach you're mentioning there really helps you to filter through and make the very, very best of your security investment.
Eric: Yeah, and you hit the nail on the head. That's the whole point of it. Is that it's not for me or my team to come in and say, hey, we're the bad guys. And like, look how cool and good we are. It's to say, hey, this is what is really out there in the real world. This is what you have to defend yourself against. And let's put some reality around it. You know, so again, you can fine tune those alerts. Cause that's one thing too, is that if you want to see absolutely every single alert that comes in, there's millions alert generated by a single company any given day. And the key part of that is to find the couple of alerts that say, hey, there's a threat actor in your environment. You need to respond to this versus having to sift through all the noise that's out there. That is one of those things that, yeah, with limited staffing, with limited teams, or even teams that maybe aren't as sophisticated, trying to find a way in which that they can filter that out, sift through the noise, and then stop somebody, stop a threat actor before they do real harm into the environment.
Sally: I couldn't agree more and maybe just a final point on that too. Also, another aspect that changes continually too, but areas like compliance as well. I think it can be really supportive there, whether you're talking about things like HIPAA or maybe FFIEC, I mean, so many different ones. I think the geographical difference is there. Again, really interesting and they give a lot of support, but they can also add complexity too. So how you're supporting this about making sure that compliance is kind of by design, so to speak, is also an important part of that confidence as well.
Eric: Yep, absolutely and so it's one of those things that we do testing for, you know, a wide variety of industries. You mentioned, you know, HIPAA, HIPAA's like, that's healthcare. We compromise hospitals day in and day out. And that's one of those things that I have a vested interest in making sure that hospitals are safe. My daughter was born in a hospital. My son was born in a hospital. I want to make sure that those…
Sally: Definitely.
Eric: …hospitals are secure. You know, I'm a human that lives in the real world as are, you know, every hacker. And so, my whole goal is to make sure that those are secure. And so, safeguarding that information, making sure that they're compliant and they fit within those compliance regimes is one of those things where, I want to make sure that information is safeguarded in a particular way that is segregated from other less important pieces of information or data on a network. And then when you talk about basically that health and life safety, we do so much testing for operational technology, OT environments. Before I became a hacker and went to the dark side, I have a degree in civil engineering. I'm a registered civil engineer. So, I know what it means when you see all this critical infrastructure that's now connected to the internet. Now you see sensors that are wireless. You see all these different life and safety things that are now on the internet and at the mercy of threat actors that might mean to do it harm, might mean to take it offline, or might mean to make the alerts unusable at some point. All that to say, yeah, I mean, that's my whole end goal is to make sure that the relevant teams that are safeguarding it, that we basically prop them up and say, hey, we're setting you up for success and letting you know what it looks like when a real bad guy comes knocking on your door.
Sally: I love that, setting you up for success. That's very, very well said, Eric. And I think with the kind of the speed and scale sophistication of changes we're seeing in this space at the moment, I think what you're doing, and particularly that holistic approach that you've brought to the fore there across those different layers is absolutely critical. Plus, the education and everything you do from a threat-intel point of view as well. The currency of that and the value of sharing that for the community I think is so, so important too. So, I totally agree with you. You could definitely do seven hours on this. Couldn't we? We're really good.
Eric: Oh, definitely.
Sally: We have to come back, Eric, I think. And perhaps we can do another kind of hackathon approach as well, something more in the wireless CDFA.
Eric: Or I could just do show and tell of all the different things that are behind me because
Sally: I like that and I think we should do. What's behind you today? I think we should do that. We could have a little show there.
Eric: Like this is a graphics card where it's like Oh, I could crack trillions of passwords on this thing. No problem at all, right? And then I have all the boxes behind me. So again, I'd be happy to come back and do a show and tell.
Sally: I love it. We'll have to do that. And again, I'm going to end with the note you did here. So here's my cold coffee from earlier, but putting this into context, kind of five of those, if you buy those from a coffee shop a week, that's kind of your entry price to start a ransomware attack today. So again, why this matters so much as well, price of entry for so many has gone down too. So, coming together, sharing information like this makes a big difference. I love the demos in the background, Eric, it's awesome. Thank you so much. Really appreciate you joining us today.
Eric: Awesome. Absolutely, Sally. Have a good one.
Sally: Thank you and thank you all for watching and listening too. It's been another episode of Let's Talk SoC. We'll be back soon for more insights into the cyber security industry with Secureworks. Thanks to all for joining us.